A system crash caused by an anti-virus software

Hi, all
My winxp sp3 crashed after I renamed a directory in the root directory and did some
other operations. There is a file in the directory. The length of its name is
252 characters. The length of the directory’s name is 3 characters. The
directory and the file both belong to my own file system. I can’t figure out
what’s wrong with it. Just hope someone can help me. Thanks in advance.
The following is the information from windbg:
kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e18ad000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 80537c53, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)
Debugging Details:

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
WRITE_ADDRESS:  e18ad000 Paged pool
FAULTING_IP:
nt!memmove+33
80537c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x50
PROCESS_NAME:  explorer.exe
TRAP_FRAME:  ef94468c -- (.trap 0xffffffffef94468c)
ErrCode = 00000002
eax=6421ed5c ebx=81bd7568 ecx=208744a9 edx=00000000 esi=e204dab8 edi=e18ad000
eip=80537c53 esp=ef944700 ebp=ef944708 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!memmove+0x33:
80537c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER:  from 804f8b9d to 80528bdc
STACK_TEXT: 
ef9441c8 804f8b9d 00000003 e18ad000 00000000 nt!RtlpBreakWithStatusInstruction
ef944214 804f978a 00000003 00000000 c070c568 nt!KiBugCheckDebugBreak+0x19
ef9445f4 804f9cb5 00000050 e18ad000 00000001 nt!KeBugCheck2+0x574
ef944614 8051dc4f 00000050 e18ad000 00000001 nt!KeBugCheckEx+0x1b
ef944674 8054151c 00000001 e18ad000 00000000 nt!MmAccessFault+0x8e7
ef944674 80537c53 00000001 e18ad000 00000000 nt!KiTrap0E+0xcc
ef944708 f9199316 e188b02c e202bae4 821f3278 nt!memmove+0x33
ef94472c f919a062 00000226 81bd7568 ef944758 fltMgr!FltpGetFileName+0x146
ef94473c f9197c79 81bd7568 00000000 81bd7568 fltMgr!FltpGetOpenedFileName+0x18
ef944758 f919a18e 81bd7568 00000000 81bd7568 fltMgr!FltpCallOpenedFileNameHandler+0x7f
ef944774 f919a76b 81bd7568 00000000 000000fe fltMgr!FltpGetNormalizedFileNameWorker+0xc4
ef94478c f91982a2 81bd7568 00000000 81bd7568 fltMgr!FltpGetNormalizedFileName+0x19
ef9447a4 f9198365 8054bda0 81bd7568 ef9447d0 fltMgr!FltpCreateFileNameInformation+0x84
ef9447b4 f9188d4c 81bd7568 00000000 81bd7568 fltMgr!CreateTemporaryFileNameInformation+0xf
ef9447d0 f9188e48 81bd7568 81aa330c 00000000 fltMgr!HandleStreamListNotSupported+0x15e
ef9447fc f9189366 c00000bb 00000eec 804eff9c fltMgr!FltpGetFileNameInformation+0xe8
ef944824 f0b5854e 00aa330c 00000101 ef944860 fltMgr!FltGetFileNameInformation+0x114
WARNING: Stack unwind information not available. Following frames may be wrong.
ef944844 f0b58282 81aa330c 00000101 ef944860 klif+0x2354e
ef944864 f0b58341 81aa330c 00000000 ef944884 klif+0x23282
ef944894 f0b50ea8 81aa330c 81d01ec0 00000000 klif+0x23341
ef94490c f9183ef3 81aa330c ef944930 e1958100 klif+0x1bea8
ef944974 f9186338 00aa32b0 00000000 81aa32b0 fltMgr!FltpPerformPostCallbacks+0x1c5
ef944988 f9186867 81aa32b0 81b752f8 ef9449c8 fltMgr!FltpProcessIoCompletion+0x10
ef944998 f9186ef9 81bba228 81b752f8 81aa32b0 fltMgr!FltpPassThroughCompletion+0x89
ef9449c8 f9193754 ef9449e8 00000000 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
ef944a04 804ef119 81bba228 81b752f8 81b752f8 fltMgr!FltpCreate+0x26a
ef944a14 80579616 81a8a838 81a0e5d4 ef944bbc nt!IopfCallDriver+0x31
ef944af4 805b5cbc 81a8a850 00000000 81a0e530 nt!IopParseDevice+0xa12
ef944b7c 805b2065 00000000 ef944bbc 00000040 nt!ObpLookupObjectName+0x56a
ef944bd0 8056d1bf 00000000 00000000 80605a01 nt!ObOpenObjectByName+0xeb
ef944d54 8053e638 00eee2ac 00eee284 00eee2d8 nt!NtQueryAttributesFile+0xf1
ef944d54 7c92e4f4 00eee2ac 00eee284 00eee2d8 nt!KiFastCallEntry+0xf8
00eee264 7c92d6fc 7c80b843 00eee2ac 00eee284 ntdll!KiFastSystemCallRet
00eee268 7c80b843 00eee2ac 00eee284 02e0001c ntdll!NtQueryAttributesFile+0xc
00eee2d8 7c81343b 02e0001c 02e0001c 00000104 kernel32!GetFileAttributesW+0x79
00eee59c 7d5ffcb4 02e0001c 00eee5c0 00000104 kernel32!GetLongPathNameW+0x62
00eee9d4 7d5fff3a 02e0001c 02e00010 02e0001c SHELL32!PathIsTemporaryW+0x68
00eefe4c 7d5ffece 02e00224 02e0001c 025e1420 SHELL32!CTaskAddDoc::_AddToRecentDocs+0x45
00eefe68 7d5c47ed 02e00224 001731c8 000dfdb0 SHELL32!CTaskAddDoc::RunInitRT+0x69
00eefe84 75ef1b9a 025e1418 75ef1b18 75ef0000 SHELL32!CRunnableTask::Run+0x54
00eefee0 77f49588 00180ff8 000f8d58 77f4956b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111
00eefef8 7c947aa2 000f8d58 7c99b440 0015bab8 SHLWAPI!ExecuteWorkItem+0x1d
00eeff40 7c947ae3 77f4956b 000f8d58 0009d5c8 ntdll!RtlpWorkerCallout+0x70
00eeff60 7c947ba5 00000000 000f8d58 0015bab8 ntdll!RtlpExecuteWorkerRequest+0x1a
00eeff74 7c947b7c 7c947ac9 00000000 000f8d58 ntdll!RtlpApcCallout+0x11
00eeffb4 7c80b713 00000000 0251de60 0251de60 ntdll!RtlpWorkerThread+0x87
00eeffec 00000000 7c930230 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  kb
FOLLOWUP_IP:
klif+2354e
f0b5854e 8bf8            mov     edi,eax
SYMBOL_STACK_INDEX:  11
SYMBOL_NAME:  klif+2354e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: klif
IMAGE_NAME:  klif.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4c5c43e5
FAILURE_BUCKET_ID:  0x50_klif+2354e
BUCKET_ID:  0x50_klif+2354e
Followup: MachineOwner

It is quite probable you are not setting correct sizes somewhere in the file system (if the filter causing the issue were a legacy filter, I would point to that filter first, but since FltMgr is getting the problem rather than a legacy filter directly, I believe it is your FS driver rather).
Turn on Driver Verifier on your driver (and possibly on all drivers on the stack, such as klif and fltmgr). That should help diagnose the issue.

It is definitely a buffer overrun issue. Note the accessed address.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.
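As an added illustration of the "wrong sizes" Dejan points at (example code, not from the thread and not from any of the drivers named in it): a user-mode C model of the FileNameInformation query contract, run on a constructed path with the report's 3-character directory and 252-character file name. The structures and status values are simplified stand-ins for the kernel's, and which side of this contract the poster's driver actually breaks is not known from the thread; the consumer check shows why a reply whose FileNameLength does not match the bytes written must be refused rather than copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;
typedef int32_t  NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_OVERFLOW   ((NTSTATUS)0x80000005)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)

/* Simplified stand-in for FILE_NAME_INFORMATION; FileNameLength is in BYTES, not WCHARs. */
typedef struct { uint32_t FileNameLength; WCHAR FileName[1]; } FILE_NAME_INFORMATION;
#define HDR offsetof(FILE_NAME_INFORMATION, FileName)

/* Constructed path shaped like the report: "\" + 3-char dir + "\" + 252-char file name. */
#define PATH_CHARS (1 + 3 + 1 + 252)   /* 257 WCHARs = 514 bytes */
static WCHAR g_path[PATH_CHARS];
static void build_path(void) {
    size_t i;
    for (i = 0; i < PATH_CHARS; i++) g_path[i] = 'x';
    g_path[0] = '\\'; g_path[4] = '\\';
}

/* Producer (file system) side: never write past buf_len, always report the FULL
   name length in bytes, and signal truncation with STATUS_BUFFER_OVERFLOW. */
static NTSTATUS fill_name_info(const WCHAR *p, size_t chars, void *buf, size_t buf_len, size_t *information) {
    FILE_NAME_INFORMATION *info = (FILE_NAME_INFORMATION *)buf;
    size_t need = chars * sizeof(WCHAR), room;
    if (buf_len < HDR) return STATUS_INVALID_PARAMETER;
    room = (buf_len - HDR) & ~(size_t)1;          /* copy whole WCHARs only */
    info->FileNameLength = (uint32_t)need;
    if (need <= room) { memcpy(info->FileName, p, need); *information = HDR + need; return STATUS_SUCCESS; }
    memcpy(info->FileName, p, room); *information = HDR + room; return STATUS_BUFFER_OVERFLOW;
}

/* Consumer side: bytes that are safe to memmove out of a reply. Trusting FileNameLength
   alone would move 514 bytes out of (and into) buffers that hold only 512. */
static size_t safe_copy_len(NTSTATUS st, const void *buf, size_t buf_len, size_t information) {
    const FILE_NAME_INFORMATION *info = (const FILE_NAME_INFORMATION *)buf;
    if (information < HDR || information > buf_len) return 0;               /* reply inconsistent */
    if (info->FileNameLength % sizeof(WCHAR)) return 0;                     /* not whole WCHARs */
    if (st == STATUS_SUCCESS && info->FileNameLength != information - HDR) return 0;
    if (st == STATUS_BUFFER_OVERFLOW && info->FileNameLength <= information - HDR) return 0;
    return information - HDR;
}

/* Query the constructed path into a buffer of buf_len bytes; forge_success models a driver
   that returns STATUS_SUCCESS on a short copy. Returns the bytes the consumer may copy. */
static long query_into(size_t buf_len, int forge_success) {
    uint32_t buf[136];                            /* 544 bytes, aligned for the header */
    size_t information = 0;
    NTSTATUS st;
    if (buf_len > sizeof buf) return -1;
    build_path();
    st = fill_name_info(g_path, PATH_CHARS, buf, buf_len, &information);
    if (forge_success) st = STATUS_SUCCESS;
    return (long)safe_copy_len(st, buf, buf_len, information);
}
```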